Skip to main content

Top 5 Considerations for Effective Security Awareness #ITSecurity #SecurityAwareness #PeopleIssue



"If you want to change attitudes, start with a change in behaviour" 

This quote was taken by William Glasser, an American psychiatrist. I think it's really relative to this subject, as a user, you may be fully aware of IT/Cyber Security and how your actions can reflect on the company you work for...However it doesn't mean it is going to change the way you work. As a company you need to start to change users behaviours...

The below is taken from the company I work for ZeroDayLab blog, which I feel, are the key components to Security Awareness/Behaviour Training. Top 5 are below (part 2 to follow)

Interested in the datasheet? please let me know...

Security, The Risk of Human Error...& a Tricky Thing Called Motivation…

Top 10 Considerations for Truly Effective Security Awareness Training

Even though 52% of breaches are attributed to human error, security awareness is still quite a new thing for many companies.  Well, not that new, there are plenty of induction packs with sections on data protection responsibilities and if you are lucky, a presentation or webinar.  However, we all know the threat environment is looming ever-larger and darker, worse still, it’s constantly changing; so how do you keep your employees not only knowledgeable about the risks presented each day at their keyboards but also motivated enough to identify them and to take action?

The reality is that every organisation and its requirements are different.  Whilst there are key elements, such as phishing campaigns, that should be included as standard to measure and educate security awareness; an effective strategy needs to tick additional boxes to create a true change in 
security behaviour.

1 Test & Benchmark
Before you commence security awareness training; find out the truth!  I’m afraid you might be shocked, most companies are.  Common click-through rates from phishing programmes we have delivered for clients have seen click-through-rates achieve up to 30+%.  When you consider that it can take less than 30 minutes for a threat to establish itself on your network, just one click could seriously jeopardise your security. 

If the result is the kind of click-through-rates a Marketing Manager would die for, you would be forgiven for thinking, ‘Well, what’s the point in testing if it’s likely the so many staff will fall for it?  I know we have a problem.’  The benefits of a phishing test are not just confined to identifying problems and benchmarking for improvement.  Utilising the results of an actual, live example which the trainees received and many of them clicked on, resonates with staff far more than giving generalised real world examples because they experienced it.  It really could happen to them.  Human behaviour is such that an individual never wants to jeopardise the tribe, nor do they want to be the fool.

2 Elements of Testing – It’s Not Just About Phishing!
There are certain key components to security awareness testing and training which should form part of a successful campaign but it is their mode of delivery that makes the difference.  Successful campaigns will involve personalising that message to your company.  This is not about just raising click-through-rates for your security company to report to you; this is exactly what the cyber criminal will do.  They know, that on the other side of the computer is a person that is ultimately motivated by self-interest.  The most effective spear-phishing campaigns carefully target their prey and learn about them.  They will create fake websites and branded emails and they will learn the name of the manager in the purchasing department that they want to send their malware-laden ‘invoice’ to.  Effective testing and training involves activating your staff’s self-interest button; coffee and gym vouchers, for example, have been popular tactics used to test employee resilience.

On a similar note, cyber criminals will exploit another human trait.  Trust. Consider the wider possibilities for breach, over-and-above email.  Digital social engineering is an obvious culprit but what about physical social engineering?  Security awareness also comes down to what information is given out over the phone but also who is allowed into the building.  How often do you check a staff badge closely, or allow someone to follow you through a secure door? 

3  Timing
Consistency is the key to security awareness.  Companies undertaking security awareness training once at induction will not succeed in raising levels of awareness and staff security. A message delivered once, and in the fog of a lot of other information, will be lost. The biggest brands know it, they repeat their message again and again until people at first recognise their message and then respond.  Involve HR & Training and Internal Communications to enable a consistent programme of messaging and to keep the profile of security awareness high within the business.  This is particularly important where there is high staff turnover and large customer support departments.  The most effective programmes review and re-visit their training programmes on a regular basis.

4  Training Methods
We have already mentioned how ‘real world’ examples drive greater awareness and engagement by using results from phishing resilience tests.  Again, depending on the structure of the company, different methods might be more effective, or quicker, with large numbers of people.  Interactive seminars and/or computer-based training are at their best when followed up by internal marketing programmes and access to further information covering topics such as how to identify phishing, or what information not to give out over the phone. Additionally, security awareness training may need to be adjusted in line with the job role, e.g. customer services or accounts as opposed to shop floor.

5 Who Holds the Keys to the Kingdom? – Why Top-Down Training is Essential

Just who does hold the keys to your kingdom? Spear-phishing is targeted.  Board Members, Senior Managers and their PAs are just as vulnerable as the sales office, in some cases, more so.  Top-down training instils a security-orientated culture benefiting not only the business but also its customers. 

Next week: check back for Considerations 6-10 !

Labels:

Comments

Post a Comment

Popular posts from this blog

Aleksei Burkov Pleads Guilty for running Online Criminal Marketplace

Story : Aleksei Burkov, 29 of St. Petersburg, Russia, has pleaded guilty in a US court to running a site that sold stolen payment card data and administering a highly secretive crime forum that counted among its members, some of the most elite Russian cybercrooks. More Detail : Aleksei, who was extradited to the US from Israel in November, pleaded guilty on Thursday to running a website that helped people commit in credit-card fraud. He is accused of running a website that let people buy stolen credit-card numbers for anywhere from $3 to $60 . People used the numbers to make more than $20 million in fraudulent purchases. Prosecutors say Burkov even offered a money-back guarantee if a stolen card number no longer worked.  Company: Aleksei admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being the founder and administrator of DirectConnection , an underground community that attracted some of the world’s most-wanted Rus
Post a Comment
Read more

New Venture

It's good to be back blogging...the last time I posted I worked as a Customer Success Manager for a DNS company. Since then, I have ventured to the CDN world, with the added mix of Cyber Security, WAF. Cyber Security is a true passion of mine and after nearly 10 years in this space, I love seeing how the industry and technology place has progressed and also ironically, stayed the same. I have enjoyed seeing the likes of Jane Frankland prosper in the field and be truly recognised as a thought leader with 'Women in Security' and her bestselling book 'IN Security'. Over the last few years I have met some truly amazing people, connected through the Women in Leadership platform which introduced me to a range of great individuals that broaden my knowledge into work places, diversity and pushing your own voice. Customer Success (CS), as a function is and should be the core of any business, concentrating on retention, relationship, client advocacy, project managing
Post a Comment
Read more

HCA International fined 200k for Data loss #ITSecurity #DataSecurity #unencrypted

HCA International Ltd, private health firm are the latest to be fined by the ICO.  They have been fined £200,000 for failing to keep data secure after it was found that conversations had by IVF patients were online. Audio recordings of interviews with patients were being sent to a company unencrypted in India for transcription. The Indian company was unable to maintain secure access due to an unsecure server. By failing to ensure its subcontractor had acted responsibly, HCA International failed to comply with the seventh data protection principle. More details on the monetary penalty notice click here Supplier Risk is a huge concern for most companies - You may have all the bells and whistles when it comes to security your infrastructure but your partners may not. Failing to ensure due diligence in the Supply chain costs - with HCA it was £200,000 - next year it would of been much more!! #EUGDPR
1 comment
Read more